keycloak-admin 1.1.2 → 1.1.4

data/bin/console

@@ -1,9 +1,9 @@
-#!/usr/bin/env ruby
-# frozen_string_literal: true
-
-require "bundler/setup"
-require "keycloak-admin"
-require "byebug"
-
-require "irb"
-IRB.start
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "keycloak-admin"
+require "byebug"
+
+require "irb"
+IRB.start

data/keycloak-admin.gemspec

@@ -1,24 +1,24 @@
-$:.push File.expand_path("../lib", __FILE__)
-
-require "keycloak-admin/version"
-
-Gem::Specification.new do |spec|
-  spec.name        = "keycloak-admin"
-  spec.version     = KeycloakAdmin::VERSION
-  spec.authors     = ["Lorent Lempereur"]
-  spec.email       = ["lorent.lempereur.dev@gmail.com"]
-  spec.homepage    = "https://github.com/looorent/keycloak-admin-ruby"
-  spec.summary     = "Keycloak Admin REST API client written in Ruby"
-  spec.description = "Keycloak Admin REST API client written in Ruby"
-  spec.license     = "MIT"
-
-  spec.files = `git ls-files -z`.split("\x0")
-  spec.require_paths = ["lib"]
-
-  spec.required_ruby_version = '>= 2.3'
-
-  spec.add_dependency "http-cookie", "~> 1.0", ">= 1.0.3"
-  spec.add_dependency "rest-client", "~> 2.0"
-  spec.add_development_dependency "rspec",  "3.12.0"
-  spec.add_development_dependency "byebug", "11.1.3"
-end
+$:.push File.expand_path("../lib", __FILE__)
+
+require "keycloak-admin/version"
+
+Gem::Specification.new do |spec|
+  spec.name        = "keycloak-admin"
+  spec.version     = KeycloakAdmin::VERSION
+  spec.authors     = ["Lorent Lempereur"]
+  spec.email       = ["lorent.lempereur.dev@gmail.com"]
+  spec.homepage    = "https://github.com/looorent/keycloak-admin-ruby"
+  spec.summary     = "Keycloak Admin REST API client written in Ruby"
+  spec.description = "Keycloak Admin REST API client written in Ruby"
+  spec.license     = "MIT"
+
+  spec.files = `git ls-files -z`.split("\x0")
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = '>= 2.3'
+
+  spec.add_dependency "http-cookie", "~> 1.0", ">= 1.0.3"
+  spec.add_dependency "rest-client", "~> 2.0"
+  spec.add_development_dependency "rspec",  "3.13.2"
+  spec.add_development_dependency "byebug", "12.0.0"
+end

data/lib/keycloak-admin/client/attack_detection_client.rb

@@ -1,42 +1,42 @@
-module KeycloakAdmin
-  class AttackDetectionClient < Client
-    def initialize(configuration, realm_client)
-      super(configuration)
-      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
-      @realm_client = realm_client
-    end
-
-    def lock_status(user_id)
-      raise ArgumentError.new("user_id must be defined") if user_id.nil?
-
-      response = execute_http do
-        RestClient::Resource.new(brute_force_url(user_id), @configuration.rest_client_options).get(headers)
-      end
-      AttackDetectionRepresentation.from_hash(JSON.parse(response))
-    end
-
-    def unlock_user(user_id)
-      raise ArgumentError.new("user_id must be defined") if user_id.nil?
-
-      execute_http do
-        RestClient::Resource.new(brute_force_url(user_id), @configuration.rest_client_options).delete(headers)
-      end
-      true
-    end
-
-    def unlock_users
-      execute_http do
-        RestClient::Resource.new(brute_force_url, @configuration.rest_client_options).delete(headers)
-      end
-      true
-    end
-
-    def brute_force_url(user_id = nil)
-      if user_id
-        "#{@realm_client.realm_admin_url}/attack-detection/brute-force/users/#{user_id}"
-      else
-        "#{@realm_client.realm_admin_url}/attack-detection/brute-force/users"
-      end
-    end
-  end
+module KeycloakAdmin
+  class AttackDetectionClient < Client
+    def initialize(configuration, realm_client)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      @realm_client = realm_client
+    end
+
+    def lock_status(user_id)
+      raise ArgumentError.new("user_id must be defined") if user_id.nil?
+
+      response = execute_http do
+        RestClient::Resource.new(brute_force_url(user_id), @configuration.rest_client_options).get(headers)
+      end
+      AttackDetectionRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def unlock_user(user_id)
+      raise ArgumentError.new("user_id must be defined") if user_id.nil?
+
+      execute_http do
+        RestClient::Resource.new(brute_force_url(user_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def unlock_users
+      execute_http do
+        RestClient::Resource.new(brute_force_url, @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def brute_force_url(user_id = nil)
+      if user_id
+        "#{@realm_client.realm_admin_url}/attack-detection/brute-force/users/#{user_id}"
+      else
+        "#{@realm_client.realm_admin_url}/attack-detection/brute-force/users"
+      end
+    end
+  end
 end

data/lib/keycloak-admin/client/client.rb

@@ -1,56 +1,56 @@
-module KeycloakAdmin
-  class Client
-
-    def initialize(configuration)
-      @configuration = configuration
-    end
-
-    def server_url
-      @configuration.server_url
-    end
-
-    def current_token
-      @current_token ||= KeycloakAdmin.create_client(@configuration, @configuration.client_realm_name).token.get
-    end
-
-    def headers
-      {
-        Authorization: "Bearer #{current_token.access_token}",
-        content_type: :json,
-        accept:       :json
-      }
-    end
-
-    def execute_http
-      yield
-    rescue RestClient::Exceptions::Timeout => e
-      raise
-    rescue RestClient::ExceptionWithResponse => e
-      http_error(e.response)
-    end
-
-    def created_id(response)
-      unless response.net_http_res.is_a? Net::HTTPCreated
-        raise "Create method returned status #{response.net_http_res.message} (Code: #{response.net_http_res.code}); expected status: Created (201)"
-      end
-      (_head, _separator, id) = response.headers[:location].rpartition("/")
-      id
-    end
-
-    def create_payload(value)
-      if value.nil?
-        ""
-      elsif value.kind_of?(Array)
-        "[#{value.map(&:to_json) * ","}]"
-      else
-        value.to_json
-      end
-    end
-
-    private
-
-    def http_error(response)
-      raise "Keycloak: The request failed with response code #{response.code} and message: #{response.body}"
-    end
-  end
-end
+module KeycloakAdmin
+  class Client
+
+    def initialize(configuration)
+      @configuration = configuration
+    end
+
+    def server_url
+      @configuration.server_url
+    end
+
+    def current_token
+      @current_token ||= KeycloakAdmin.create_client(@configuration, @configuration.client_realm_name).token.get
+    end
+
+    def headers
+      {
+        Authorization: "Bearer #{current_token.access_token}",
+        content_type: :json,
+        accept:       :json
+      }
+    end
+
+    def execute_http
+      yield
+    rescue RestClient::Exceptions::Timeout => e
+      raise
+    rescue RestClient::ExceptionWithResponse => e
+      http_error(e.response)
+    end
+
+    def created_id(response)
+      unless response.net_http_res.is_a? Net::HTTPCreated
+        raise "Create method returned status #{response.net_http_res.message} (Code: #{response.net_http_res.code}); expected status: Created (201)"
+      end
+      (_head, _separator, id) = response.headers[:location].rpartition("/")
+      id
+    end
+
+    def create_payload(value)
+      if value.nil?
+        ""
+      elsif value.kind_of?(Array)
+        "[#{value.map(&:to_json) * ","}]"
+      else
+        value.to_json
+      end
+    end
+
+    private
+
+    def http_error(response)
+      raise "Keycloak: The request failed with response code #{response.code} and message: #{response.body}"
+    end
+  end
+end

data/lib/keycloak-admin/client/client_authz_permission_client.rb

@@ -0,0 +1,81 @@
+module KeycloakAdmin
+  class ClientAuthzPermissionClient < Client
+    def initialize(configuration, realm_client, client_id, type, resource_id = nil)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      raise ArgumentError.new("bad permission type") if !resource_id && !%i[resource scope].include?(type.to_sym)
+
+      @realm_client = realm_client
+      @client_id = client_id
+      @type = type
+      @resource_id = resource_id
+    end
+
+    def delete(permission_id)
+      execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, nil, nil, permission_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def find_by(name, resource, scope = nil)
+      response = execute_http do
+        url = "#{authz_permission_url(@client_id)}?name=#{name}&resource=#{resource}&type=#{@type}&scope=#{scope}&deep=true&first=0&max=100"
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPermissionRepresentation.from_hash(role_as_hash) }
+    end
+
+    def create!(name, description, decision_strategy,logic = "POSITIVE", resources = [], policies = [], scopes = [], resource_type = nil)
+      response = save(build(name, description, decision_strategy, logic, resources, policies, scopes, resource_type))
+      ClientAuthzPermissionRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def save(permission_representation)
+      execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, nil, permission_representation.type), @configuration.rest_client_options).post(
+          create_payload(permission_representation), headers
+        )
+      end
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, @resource_id), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPermissionRepresentation.from_hash(role_as_hash) }
+    end
+
+    def get(permission_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_permission_url(@client_id, nil, @type, permission_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzPermissionRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def authz_permission_url(client_id, resource_id = nil, type = nil, id = nil)
+      if resource_id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource/#{resource_id}/permissions"
+      elsif id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/permission/#{type}/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/permission/#{type}"
+      end
+    end
+
+    def build(name, description, decision_strategy, logic, resources, policies, scopes, resource_type)
+      policy                   = ClientAuthzPermissionRepresentation.new
+      policy.name              = name
+      policy.description       = description
+      policy.type              = @type
+      policy.decision_strategy = decision_strategy
+      policy.resource_type     = resource_type
+      policy.resources         = resources
+      policy.policies          = policies
+      policy.scopes            = scopes
+      policy.logic             = logic
+      policy
+    end
+
+  end
+end

data/lib/keycloak-admin/client/client_authz_policy_client.rb

@@ -0,0 +1,76 @@
+module KeycloakAdmin
+  class ClientAuthzPolicyClient < Client
+    def initialize(configuration, realm_client, client_id, type)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      raise ArgumentError.new("type must be defined") unless type
+      raise ArgumentError.new("only 'role' policies supported") unless type.to_sym == :role
+
+      @realm_client = realm_client
+      @client_id = client_id
+      @type = type
+    end
+
+    def create!(name, description, type, logic, decision_strategy, fetch_roles, roles)
+      response = save(build(name, description, type, logic, decision_strategy, fetch_roles, roles))
+      ClientAuthzPolicyRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def save(policy_representation)
+      execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type), @configuration.rest_client_options).post(
+          create_payload(policy_representation), headers
+        )
+      end
+    end
+
+    def get(policy_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type, policy_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzPolicyRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def find_by(name, type)
+      response = execute_http do
+        url = "#{authz_policy_url(@client_id, @type)}?permission=false&name=#{name}&type=#{type}&first=0&max=11"
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPolicyRepresentation.from_hash(role_as_hash) }
+    end
+
+    def delete(policy_id)
+      execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type, policy_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_policy_url(@client_id, @type), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzPolicyRepresentation.from_hash(role_as_hash) }
+    end
+
+    def authz_policy_url(client_id, type, id = nil)
+      if id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/policy/#{type}/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/policy/#{type}?permission=false"
+      end
+    end
+
+    def build(name, description, type, logic, decision_strategy, fetch_roles, roles=[])
+      policy                   = ClientAuthzPolicyRepresentation.new
+      policy.name              = name
+      policy.description       = description
+      policy.type              = type
+      policy.logic             = logic
+      policy.decision_strategy = decision_strategy
+      policy.fetch_roles       = fetch_roles
+      policy.roles             = roles
+      policy
+    end
+  end
+end

data/lib/keycloak-admin/client/client_authz_resource_client.rb

@@ -0,0 +1,93 @@
+module KeycloakAdmin
+  class ClientAuthzResourceClient < Client
+    def initialize(configuration, realm_client, client_id)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      @realm_client = realm_client
+      @client_id = client_id
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzResourceRepresentation.from_hash(role_as_hash) }
+    end
+
+    def get(resource_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id, resource_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzResourceRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def update(resource_id, client_authz_resource_representation)
+      raise "scope[:name] is mandatory and the only necessary attribute to add scope to resource" if client_authz_resource_representation[:scopes] && client_authz_resource_representation[:scopes].any?{|a| !a[:name]}
+
+      existing_resource = get(resource_id)
+      new_resource = build(
+        client_authz_resource_representation[:name] || existing_resource.name,
+        client_authz_resource_representation[:type] || existing_resource.type,
+        (client_authz_resource_representation[:uris] || [] ) + existing_resource.uris,
+        client_authz_resource_representation[:owner_managed_access] || existing_resource.owner_managed_access,
+        client_authz_resource_representation[:display_name] || existing_resource.display_name,
+        (client_authz_resource_representation[:scopes] || []) + existing_resource.scopes.map{|s| {name: s.name}},
+        client_authz_resource_representation[:attributes] || existing_resource.attributes
+      )
+
+      execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id, resource_id), @configuration.rest_client_options).put(new_resource.to_json, headers)
+      end
+      get(resource_id)
+    end
+
+    def create!(name, type, uris, owner_managed_access, display_name, scopes, attributes = {})
+      save(build(name, type, uris, owner_managed_access, display_name, scopes, attributes))
+    end
+
+    def find_by(name, type, uris, owner, scope)
+      response = execute_http do
+        url = "#{authz_resources_url(@client_id)}?name=#{name}&type=#{type}&uris=#{uris}&owner=#{owner}&scope=#{scope}&deep=true&first=0&max=100"
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzResourceRepresentation.from_hash(role_as_hash) }
+    end
+
+    def save(client_authz_resource_representation)
+      response = execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id), @configuration.rest_client_options).post(client_authz_resource_representation.to_json, headers)
+      end
+      ClientAuthzResourceRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def delete(resource_id)
+      execute_http do
+        RestClient::Resource.new(authz_resources_url(@client_id, resource_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def authz_resources_url(client_id, id = nil)
+      if id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource"
+      end
+    end
+
+    private
+
+    def build(name, type, uris, owner_managed_access, display_name, scopes, attributes={})
+      resource                      = ClientAuthzResourceRepresentation.new
+      resource.name                 = name
+      resource.type                 = type
+      resource.uris                 = uris
+      resource.owner_managed_access = owner_managed_access
+      resource.display_name         = display_name
+      resource.scopes               = scopes
+      resource.attributes           = attributes || {}
+      resource
+    end
+
+  end
+end

data/lib/keycloak-admin/client/client_authz_scope_client.rb

@@ -0,0 +1,71 @@
+module KeycloakAdmin
+  class ClientAuthzScopeClient < Client
+    def initialize(configuration, realm_client, client_id, resource_id = nil)
+      super(configuration)
+      raise ArgumentError.new("realm must be defined") unless realm_client.name_defined?
+      @realm_client = realm_client
+      @client_id = client_id
+      @resource_id = resource_id
+    end
+
+    def create!(name, display_name, icon_uri)
+      response = save(build(name, display_name, icon_uri))
+      ClientAuthzScopeRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def list
+      response = execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id, @resource_id), @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzScopeRepresentation.from_hash(role_as_hash) }
+    end
+
+    def delete(scope_id)
+      execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id, nil, scope_id), @configuration.rest_client_options).delete(headers)
+      end
+      true
+    end
+
+    def get(scope_id)
+      response = execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id, nil, scope_id), @configuration.rest_client_options).get(headers)
+      end
+      ClientAuthzScopeRepresentation.from_hash(JSON.parse(response))
+    end
+
+    def search(name)
+      url = "#{authz_scopes_url(@client_id)}?first=0&max=11&deep=false&name=#{name}"
+      response = execute_http do
+        RestClient::Resource.new(url, @configuration.rest_client_options).get(headers)
+      end
+      JSON.parse(response).map { |role_as_hash| ClientAuthzScopeRepresentation.from_hash(role_as_hash) }
+    end
+
+    def authz_scopes_url(client_id, resource_id = nil, id = nil)
+      if resource_id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/resource/#{resource_id}/scopes"
+      elsif id
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/scope/#{id}"
+      else
+        "#{@realm_client.realm_admin_url}/clients/#{client_id}/authz/resource-server/scope"
+      end
+    end
+
+    def save(scope_representation)
+      execute_http do
+        RestClient::Resource.new(authz_scopes_url(@client_id), @configuration.rest_client_options).post(
+          create_payload(scope_representation), headers
+        )
+      end
+    end
+
+    def build(name, display_name, icon_uri)
+      scope              = ClientAuthzScopeRepresentation.new
+      scope.name         = name
+      scope.icon_uri     = icon_uri
+      scope.display_name = display_name
+      scope
+    end
+  end
+end